CVE-2020-12406

CVSS v3.1 8.8 (High)

CVSS v2.0 9.3 (High)

EPSS 0.31 % (70^th)

Affected Products 4

Advisories 32

Mozilla Developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Weaknesses

CWE-345: Insufficient Verification of Data Authenticity

CVE Status: PUBLISHED
CNA: Mozilla Corporation
Published Date: 2020-07-09 15:15:11
(4 years ago)
Updated Date: 2023-01-27 16:48:38
(19 months ago)

Affected Products

Canonical

Ubuntu Linux

Mozilla

Configuration #1

	CPE23	Up To
Mozilla Firefox prior 77.0 version	cpe:2.3:a:mozilla:firefox	< 77.0
Mozilla Firefox Esr prior 68.9.0 version	cpe:2.3:a:mozilla:firefox_esr	< 68.9.0
Mozilla Thunderbird prior 68.9.0 version	cpe:2.3:a:mozilla:thunderbird	< 68.9.0

Configuration #2

		CPE23	From	Up To
	Canonical Ubuntu Linux 16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04:::*:esm
	Canonical Ubuntu Linux 18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04:::*:lts
	Canonical Ubuntu Linux 19.10	cpe:2.3:o:canonical:ubuntu_linux:19.10
	Canonical Ubuntu Linux 20.04	cpe:2.3:o:canonical:ubuntu_linux:20.04:::*:lts